VPN between ASA and Draytek - with vpn-filter

Unanswered Question
Jan 7th, 2010

I have successfully established an IPSEC VPN between an ASA and a customer's Draytek - the Draytek is using its public IP for both the VPN endpoint and for NATing internal traffic over the VPN. If I apply a vpn-filter statement to the ASA configuration (using group-policies), the VPN still establishes to Phase 2 - but no packets are decrypted/decapsulated from the customer.

I'm wondering if it's because the customer is using his public IP for both the VPN endpoint and for NATing... any thoughts?

yamramos.tueme Thu, 01/07/2010 - 15:41

Have you checked if you are encrypting packets on your end? It could be that your end is not sending traffic.

gammatel1 Fri, 01/08/2010 - 08:28

There are no packets being encapsulated or encrypted - but the customer initiates the VPN connection and data stream and I don't see any packets being decapsulated or decrypted. The vpn-filter ACL is applied to traffic once it is decapsulated and decrypted - but since there are no packets being received (out of the VPN) the vpn-filter ACL is not seeing any hits. Removing the vpn-filter ACL and group-policy means that the packets flow correctly over the VPN, i.e. packets are decaps/encaps and decrypt/encrypt correctly.

I have a load more VPNs using vpn-filters that work perfectly - but this VPN is the only one where the customer uses the same IP for both the VPN tunnel endpoint and for NATing his traffic over the VPN.
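For readers following the thread, the fragment below is an added example (not the poster's configuration and not taken from any reply) of how an ASA vpn-filter is tied to a LAN-to-LAN tunnel in the topology described above: the remote peer's public IP is both the IKE endpoint and the address the remote side NATs its hosts to. All addresses, ACL and object names are placeholders; 203.0.113.10 stands for the Draytek public IP, 10.10.10.0/24 for the ASA-side LAN, and the transform set is assumed to exist. The vpn-filter ACL is evaluated on traffic after it is decapsulated (and, in the reverse direction, before it is encrypted), and it is written from the remote peer's perspective: source is the remote side, destination is the local side. Since the remote hosts are NATed, the only source address the filter will ever see inbound is the peer's public IP, so the filter and the crypto ACL must both name that host address rather than a private range.

```cisco
! Added example, not the poster's configuration. Placeholder addressing:
!   203.0.113.10  - customer Draytek public IP (IKE peer AND the NAT address
!                   the customer's internal hosts appear as inside the tunnel)
!   10.10.10.0/24 - ASA-side internal network (assumed)
!   ESP-AES-SHA   - transform set assumed to be defined elsewhere
!
! vpn-filter ACL: applied to post-decryption traffic, written as
! remote (source) -> local (destination). The remote side is a single
! NATed host, so "host 203.0.113.10" is the source.
access-list VPN-FILTER-DRAYTEK extended permit tcp host 203.0.113.10 10.10.10.0 255.255.255.0 eq 443
access-list VPN-FILTER-DRAYTEK extended permit icmp host 203.0.113.10 10.10.10.0 255.255.255.0
!
! Bind the filter to the tunnel through a group-policy.
group-policy GP-DRAYTEK internal
group-policy GP-DRAYTEK attributes
 vpn-filter value VPN-FILTER-DRAYTEK
!
! LAN-to-LAN tunnel-group named after the peer address.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-DRAYTEK
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-PSK
!
! Crypto ACL (Phase 2 proxy IDs) must describe the same NATed host,
! otherwise the SA selectors and the filter disagree on what is "interesting".
access-list CRYPTO-DRAYTEK extended permit ip 10.10.10.0 255.255.255.0 host 203.0.113.10
crypto map OUTSIDE-MAP 10 match address CRYPTO-DRAYTEK
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! Verification: the filter only records hits once packets decapsulate,
! so compare decaps/decrypt counters on the SA with hit counts on the ACL.
show crypto ipsec sa peer 203.0.113.10
show access-list VPN-FILTER-DRAYTEK
```

When troubleshooting the symptom described in the thread, the useful comparison is between the "pkts decaps"/"pkts decrypt" counters in `show crypto ipsec sa peer` and the hit counts in `show access-list` on the filter: zero hits on the filter with non-zero decaps means the filter is dropping, while zero decaps means the packets never reached the filter at all.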

